asyncrat

General

Target

4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f
Size

819KB
Sample

240814-zhx4rayank
MD5

d43179e5cb6353e4de7038bdc47b01ac
SHA1

2af16fcb37dd760d46c43c895e66e08eaf3ce4e7
SHA256

4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f
SHA512

e6fc5976a203dfc4ea7436721f5eb9a580c212f790e4d3acf90f4ae48525535816aa4e764ff9488408d649f7195e0465321bb063297050d88087549d33ad08fe
SSDEEP

12288:DBdlwHRn+WlYV+96qE9SR6rGiIZgUhtUJ++n0UCbMFKb7dnOu84S6Kc90Y7Y:DBkVdlYAQC6rCJhq0UQMFKb7dOu84xZq

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Extracted

Family

asyncrat

Version

1.0.7

Botnet

014agosto

C2

telorino1581.duckdns.org:5500

Mutex

123ADSFRETFGFDkZXSkijweqsa

Attributes

delay
1
install
false
install_file
qawsedrftyujgh.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Agosto 14

C2

crepoher09.duckdns.org:4050

Mutex

Firewallghdretsydufiognbcngksjplatadsfw

Attributes

delay
15
install
false
install_file
windowsdefender
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

nj3100.duckdns.org:3100

Mutex

c33a6d2b674

Attributes

reg_key
c33a6d2b674
splitter
@!#&^%$

Targets

- Target
  
  4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f
- Size
  
  819KB
- MD5
  
  d43179e5cb6353e4de7038bdc47b01ac
- SHA1
  
  2af16fcb37dd760d46c43c895e66e08eaf3ce4e7
- SHA256
  
  4d893cc9cad144508ab60d967de1af6ff37f2049c7adc73b756812444c0f151f
- SHA512
  
  e6fc5976a203dfc4ea7436721f5eb9a580c212f790e4d3acf90f4ae48525535816aa4e764ff9488408d649f7195e0465321bb063297050d88087549d33ad08fe
- SSDEEP
  
  12288:DBdlwHRn+WlYV+96qE9SR6rGiIZgUhtUJ++n0UCbMFKb7dnOu84S6Kc90Y7Y:DBkVdlYAQC6rCJhq0UQMFKb7dOu84xZq
Score

10^/10

asyncrat 014agosto agosto 14 discovery execution rat njrat nyan cat persistence trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2